Getting Data In

Masking IP in PROPS.CONF using SEDCMD

csingh23
New Member

Hi guys,

I am trying to run a sedcmd in props.conf and this is regex that I need to replace my internal IPs.

SEDCMD-replace=s/"Device Address"=(\d{1,3}\.\d{1,3}\.\d{1,3})\.(\d{1,3})/"Device Address"=123.234.222.111/g

When I restart Splunk and run a search on Splunk Web, I do not see my IPs masked, they are still the same.
Also I did find similar questions about multiple sed commands in one stanza in same props.conf, but it isn't likely to be working on mine.

Any help will be greatly appreciated.

Thank You!

0 Karma
1 Solution

Richfez
SplunkTrust
SplunkTrust

Assuming the precise things you are trying to change appear in your events like this:

"Device Address"=123.234.222.111

You can test your sedcmd in a rex in a search:

* | eval a_test="\"Device Address\"=123.234.222.111" | rex mode=sed field=a_test "s/\"Device Address\"=(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})/\"Device Address\"=111.222.333.444/"

That results in a field a_test that's precisely like this:

"Device Address"=111.222.333.444

So if you want to sedcmd it in props, you will end up like this.

SEDCMD-replace=s/\"Device Address\"=(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})/\"Device Address\"=111.222.333.444/

Give that a try and let us know how it goes. You'll need to make sure you put it in a stanza that applies to the sourcetype/source that matches the data.

View solution in original post

0 Karma

Richfez
SplunkTrust
SplunkTrust

Assuming the precise things you are trying to change appear in your events like this:

"Device Address"=123.234.222.111

You can test your sedcmd in a rex in a search:

* | eval a_test="\"Device Address\"=123.234.222.111" | rex mode=sed field=a_test "s/\"Device Address\"=(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})/\"Device Address\"=111.222.333.444/"

That results in a field a_test that's precisely like this:

"Device Address"=111.222.333.444

So if you want to sedcmd it in props, you will end up like this.

SEDCMD-replace=s/\"Device Address\"=(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})/\"Device Address\"=111.222.333.444/

Give that a try and let us know how it goes. You'll need to make sure you put it in a stanza that applies to the sourcetype/source that matches the data.

0 Karma

csingh23
New Member

That works. In raw events it is masking but It still did not mask the IPs in Device Address field. I need to mask the field value of this field.

For eg:
11/7/15 2015/08.23, 123.234.222.111
1:40:54:000 PM Device Address= 172.186.151.234

I want to mask the Device address field too. Any ideas how to do that.

Thanks

0 Karma

Richfez
SplunkTrust
SplunkTrust

Sorry, I misunderstood. I might still have it wrong, but try this...

You can mask off all of the IPs in those events by changing the sedcmd to not worry about the string "Device Address", and add the global flag at the end (like you originally had).

SEDCMD-replace=s/(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})/1.2.3.4/g

That takes any IPv4 address in those events and replaces them with "1.2.3.4"

If that's what you need, great! If not, can you take the event you listed just above and please mask it off like you want so I can actually see what it is you want? Use something like A.B.C.D as the "masked" address so I can be sure the right things get changed.

Addendum: You know, I just realized that we're not using capture groups for anything, so we don't need the () groups. Untested, but this should work just fine (and be a lot easier to read).

SEDCMD-replace=s/\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}/1.2.3.4/g

Thanks!

csingh23
New Member

Thanks a lot! It worked...

0 Karma

Richfez
SplunkTrust
SplunkTrust

Oh, the regular sedcmd doesn't need quotes around it, so I believe that means you don't need to escape the quotes. For the sedcmd, it should then be:

SEDCMD-replace=s/"Device Address"=(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})/"Device Address"=111.222.333.444/

Sorry about that.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...